SPOTLIGHT

Combining audits on quality and environmental management systems

ISO 19011 supports new approaches in auditing and completes the ISO 9000:2000 series
ISO/TC 176 on quality management and ISO/TC 207 on environmental management have developed in close cooperation a joint standard on auditing that responds to and supports current business practices aimed at combining audits on quality and environmental management systems. ISO 19011, Guidelines for quality and environmental management systems auditing, was published in October 2002 and completes the ISO 9000 core series comprising in addition the revised ISO 9000, ISO 9001 and ISO 9004, published in December 2000. However, ISO 19011 is equally part of the ISO 14000 series on environmental management, and might set the scene for more standards that cover general management system techniques. This article describes the background and benefits of ISO 19011 and introduces the main elements of the guideline.
By Dick Hortensius and Annemarie de Jong, Co-secretaries of the ISO Joint Working Group on Auditing, Netherlands Standardization Institute, NEN

tion. On the basis of audits, accountants make statements about the accuracy of financial reports. In the last decades, audits have become known as a tool to assess whether a quality or environmental management system or part thereof conforms with requirements and is functioning well.

Importance of auditing
Auditing is an important element of the Plan-Do-Check-Act cycle on which the well known management system standards, such as ISO 9001 and ISO 14001,

The origins of auditing

The origins of auditing go back to the Roman Empire. At that time, official announcements of the authorities were communicated by messengers. To ensure that the announcements were communicated correctly, the messengers were accompanied by auditors (listeners). These auditors knew the announcements as well as the messengers themselves, and they stood as witnesses to whether the messages were broadcast fully and correctly. The auditors could then report back to the authorities on whether the messengers did a good job. In later years, the term auditing was used in the accountancy profession to refer to the assessments used to verify the reliability of financial data and informa-

The reliance that can be put in these certificates by millions of business partners, consumers and governmental agencies is to a large part based on the quality and reliability of the audits carried out.
are based. Audits are the basis for an organizations self-assessment of its capability to continually comply with stakeholder requirements related to e.g. quality, environment and occupational health and safety. Management systems provide the organizational means to ensure this capability, and audits are required in the management system standards to assess the appropriate implementation and effectiveness of these systems. Audits are also the basis
ISO BULLETIN DECEMBER 2002

19

for independent 3rd party certification of management systems. The 11 th cycle of the ISO Survey of ISO 9000 and ISO 14000 certificates shows that, by December 2001, more than 510 000 ISO 9001 certificates and more than 36 000 ISO 14001 certificates were issued all over the world, showing the importance of this activity. The reliance that can be put in these certificates by millions of business partners, consumers and governmental agencies is to a large part based on the quality and reliability of the certification audits carried out. This shows the importance of audits and is the reason that ISO developed standards on auditing already more than 15 years ago. ISO guidelines for auditing Situation in 1997

agement systems and want to optimize their audit efforts. Combining management system audits has financial and practical advantages and does not affect the reliability and usefulness of the audit outcomes. The conclusion of the study group was that these developments in the user community were best served by developing a single standard on management systems auditing. This recommendation was followed-up by the issuing of a joint new work item proposal for the development of a common ISO standard on quality and environmental auditing. This proposal was accepted by both ISO subcommittees and a joint working group (JWG) was established that met for the first time in November 1998 to develop the single auditing standard.

bol that this project goes beyond the current gap between quality and environmental management.

Main elements of ISO 19011

ISO 19011 provides guidelines for the conduct of audits on quality and/or environmental management systems. The standard provides the guidance in four main chapters :
! ! ! !

General principles of auditing Management of audit programmes Auditing activities Competence of auditors

The development of ISO 19011

This JWG on auditing was chaired by two co-conveners : Alistair Dalrymple, from the French certification body, AFAQ, on behalf of ISO/TC 176/SC 3, and Andrew Griffiths, from Degussa Metals Catalysts Cerdec, Germany, on behalf of ISO/TC 207/SC 2. During the entire process, the Netherlands Standardization Institute (NEN) played a key role as it is responsible for the secretariats of both the ISO subcommittees involved, as well as the secretariats of the Common Study Group and the Joint Working Group. It took less than four years, eight meeting of the JWG, three Committee Drafts and the usual DIS and FDIS stage to develop ISO 19011. By the way, the number 19011 the first XX011 number available at the time the work item was approved was specially granted to this project by ISO. The idea behind this choice of number was to avoid linking the standard exclusively to either the ISO 9000 or the ISO 14000 family of standards, but yet to maintain the relationship with the current auditing standards (ISO 10011 and ISO 14011). The number 19011 can also be looked upon as a sym-

The principles of auditing are included to show that management systems auditing is based on the same general principles as other types of audits such as those carried out by financial accountants. Three principles are primarily related to auditors :
!

Ethical conduct : the foundation of professionalism; Fair presentation : the obligation to report truthfully and accurately; Due professional care : the application of diligence and judgment in auditing.

ISO standards on auditing

The three parts of ISO 10011 providing guidance on the auditing of quality management systems were issued in 1991. The three separate guidelines for the auditing of environmental management systems, ISO 14010, ISO 14011 and ISO 14012, were published in 1996. During the development of the ISO 14010 series, due attention was paid to ISO 10011 and, therefore, the two sets of standards do not differ fundamentally from each other. Nevertheless, it was gradually felt that these six separate standards did not provide the best solution for today's market needs. In 1997, the two ISO subcommittees involved, ISO/TC 176/SC 3 and ISO/TC 207/SC 2, established a common study group to asses the feasibility of a more common approach to auditing. The group acknowledged that a growing number of organizations implement quality as well as environmental man-

The two other principles are primarily related to the audit process :
!

Independence : the basis for the impartiality of the audit and objectivity of audit conclusions ; Evidence-based approach : the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process.

The guidance given in ISO 19011 is based on these principles. Management of an audit programme includes all relevant activities that are necessary to facilitate the conduct of individual audits, such as appropriate planning, providing resources (financial, human), and establishing procedures. For many organizations, the audit programme will consist of the set of individual audits which are carried out to cover all elements of the management system

20

ISO BULLETIN DECEMBER 2002

in all parts of the organization during a an audit cycle. The audit programme management should plan these audits, provide the necessary resources, monitor how audits are carried out, and ensure that audit follow-up takes, for instance, corrective or improvement actions.

audit principles, procedures and techniques ; management systems and reference documents ; organizational situations, and applicable laws, regulations and other relevant requirements. In addition to these, ISO 19011 provides specific knowledge and skills that only apply to quality management system auditors and to environmental management system auditors and audit team leaders. The appropriate levels of knowledge and skills will vary according to such factors as the size, nature and complexity of the organization to be audited and the objectives and extent of the audit programme. It is up to the organization to define the appropriate levels that are suitable for ISO guidelines for its particular situaauditing tion. Therefore, ISO Situation by the end of 2002 19011 describes an auditor evaluation process that includes the setting of levels of knowledge and skills that are needed, and the education, auditor training and work and audit experience necessary to acquire them. The step-wise approach of ISO 19011 to define the knowledge and skills needed and to evaluate auditors is illustrated in the figure below.

Benefits that ISO 19011 brings

The benefits of ISO 19011 compared to the former ISO standards on auditing can be summarized as follows : 1. Better applicability to the conduct of internal audits, and also more focused on use by small and medium sized enterprises ; 2. More flexible approach to auditor qualifications and audit team selection ; 3. Applicability to combined audits, and herewith bridging the gap between quality and environmental management tools.

A growing number of organizations implement quality as well as environmental management systems and want to optimize their audit efforts.
The audit activities comprise all steps in an individual audit that is carried out for a specific purpose and with a specific scope, e.g. to determine whether the process for handling waste in department X conforms to planned arrangements and applicable legal requirements. These steps are shown below :

These benefits have been achieved by the following improvements : 1. Instead of six separate standards, comprising two different series for quality and environmental auditing, ISO 19011 provides a single set of guidelines addressing all aspects of quality and/or environmental management systems auditing. In this respect, ISO 19011 responds to market developments that show that a growing number of organizations all over the world implement both ISO 9001 and ISO 14001, either in an

Typical steps in an individual audit

Note : the dotted line indicates that audit follow-up, although very important, is usually not considered to be part of the audit.

Finally ISO 19011 provides guidelines for the competence of auditors. To be a competent auditor, a person should demonstrate the possession of a number of personal attributes and the ability to apply the knowledge and skills that are necessary to conduct an audit effectively and efficiently. Generic knowledge and skills cover areas such as :

Auditor evaluation process.

ISO BULLETIN DECEMBER 2002

21

integrated way, or not, as the case may be. These organizations want to optimize their auditing efforts, by conducting combined audits to audit their EMS and QMS together. ISO 19011 supports this practice. Because of its generic character, the guidance in ISO 19011 can easily be applied to other types of auditing, such as process and product audits, regulatory compliance audits, and other management system audits, such as occupational health and safety audits.

provides a process to evaluate whether persons have the necessary competence and can either be added to the pool of auditors for a particular audit programme, be selected to join the audit team for a particular audit, or need additional training or experience to gain or maintain his or her audit abilities. This process does not specify specific levels of competence and is therefore applicable to organizations of all types and sizes.

Because of its generic character, the guidance in ISO 19011 can easily be applied to other types of auditing, such as process and product audits, regulatory compliance audits, and other management system audits, such as occupational health and safety audits.
2. ISO 19011 provides all relevant aspects of management system auditing in a logical order, showing the interactions between the different elements of the auditing system: the management of an audit programme, the conduct of individual audits within that programme, and the evaluation of auditors to ensure the competence of auditors necessary to achieve the audit programme objectives. In the former set of ISO auditing guidelines, these elements are dealt with in separate documents, or not dealt with at all (e.g. management of environmental auditing programmes was not addressed in the ISO 14010 series). 3. ISO 19011 provides a concise set of audit principles that provides a link between the auditing of management systems and the more general audit profession (e.g. financial auditing)

JWG on auditing that adheres to the same set of generic audit principles. 4. ISO 19011 supports a Plan-Do-CheckAct (PDCA) approach to the management of audit programmes and a process approach to the conduct of individual audits ; both approaches provide for a clearer, more consistent description of the relevant activities, resulting in guidance that can readily be applied in daily practice ; 5. ISO 19011 emphasizes the relevance of establishing and managing audit programmes to facilitate effective and efficient conduct of individual audits; the audit programmes should ensure management commitment, authority for conducting audits, financial and human resources, procedures as well as monitoring, review and improvement of audit activities. 6. ISO 19011 provides a clear and generally applicable process for evaluating the competence of auditors. Instead of numerical qualification criteria for education, audit training and work and audit experience that were given in the former ISO 10011-2 and ISO 14012, and that were merely applicable to auditors conducting certification/registration audits, ISO 19011 outlines a process to determine the competence of auditors necessary in a specific audit situation. In addition, it

Merging of the ISO 10011 and the ISO 14010 series.

ISO 19011 outlines a process to determine the competence of auditors necessary in a specific audit situation.
Outlook
ISO 19011 is based on the current best practice in auditing of quality and environmental management systems. It provides guidance that can mutatis mutandis also be applied to other types of audits, such as auditing of occupational health and safety management. A study group of ISO/TC 207/SC 2 concluded that the general framework of ISO 19011 can also be used as a basis for verification of environmental reports and greenhouse gas emission reduction projects. However, in these other areas due care should be

22

ISO BULLETIN DECEMBER 2002

What is an audit?
ISO 19011 provides the following definition for an audit : Systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. Together with some other definitions given in ISO 19011, the following important characteristics and conceptual elements of an audit can be derived. Auditing is a process that needs to be planned and controlled to provide a reliable outcome. The audit process needs to be systematic, following well-established procedures. This should ensure that different auditors in the same situation come to the same conclusions. An audit should lead to impartial judgements ; this can best be assured by an independent process. This means that an auditor should not audit his or her own

activities. During an audit, the audit findings are documented, and the audit is concluded by providing a (documented) report describing how the audit was carried out and on which evidence the audit conclusions are based. This makes the audit a transparent and traceable process. During the audit, relevant information is gathered and selected. Verifiable information is called audit evidence that is assessed against the audit criteria . Information can, for instance, be records

or statements made in an interview ; crosschecking can be used to verify this information that can then be assessed against the requirements of an internal procedure. Such assessments leads to findings of conformity or non-conformity. After consideration of all findings, an auditor can draw conclusions, such as whether an organizations management system does or does not conform to requirements of a management system standard such as ISO 9001. An audit does not only provide information to determine conformity, but also information that can be used to direct an organization and improve its activities. This added value of auditing compared to control or inspection activities is, amongst others, related to the in-depth type of investigations and analysis and the search into the causes of any shortcomings or non-conformities that form the basis of all audits. The conceptual basis of auditing is summarized in the figure to the left.

given to e.g. the appropriate competence of audit teams and the application of rigorous data verification techniques. ISO 19011 is already frequently referenced in the working draft for the future ISO 17021 that will provide the requirements for bodies that certify management systems. ISO 17021 will replace the current separate Guides 62 and 66, and so you see that one joint standard will support the other. We are confident that ISO 19011 provides a sound generic, applicable framework on auditing that will prove to be useful for many different users in many different situations. The Joint Working Group of TC 176 and TC 207 experts which developed ISO 19011 has been compared with the Australian platypus a perfect combination of two rather distinct animals !
ISO BULLETIN DECEMBER 2002

23